

    

Blue Forest http://www.lslnet.com at 19:08 on May 28, 2006


Do we have any good ways to prevent malicious website scraping?

A relatively small number of IPs can be blocked, but that is inadequate when the scraping comes from a large number of them.

Do we have any good ways to prevent malicious website scraping?

Yes, you can.
Here is a shell script for you.
[code]
#!/bin/bash
#
# VBird has been developing this program since 2002/06/11!
#
# Note:
#   The main use of this program is to keep your WWW server from being
#   crashed by site-ripping software!
#   If your server does not run a WWW service, there is no need to run
#   this program!
#
# How the blocking works:
#   Some annoying programs, such as Teleport and similar software, keep
#   trying to rip the site, so they keep requesting connections to your
#   host. Under such circumstances your host may consume a considerable
#   amount of system resources, and may crash as a result!
#   Teleport creates a lot of connections when it is used, and these
#   connections can be observed with netstat! So we use netstat to count
#   the connections per IP, that is, how many connections come from the
#   same IP. If the count exceeds a set value (your choice!), that IP is
#   blocked with iptables!
#   Because of this, pay attention to your kernel version when you use
#   this program.
#
# Notes:
# 1. About this program:
#    This program uses netstat to count the connections per IP; once the
#    set value is reached, the IP is blocked by the firewall. Therefore
#    you must run a kernel of version 2.4 or later and must not be
#    using ipchains!
# 2. About the related program:
#    I use iptables.rule together with this program. Unless you already
#    understand shell scripts, it is best to download it from the
#    following website to support this program!
#    http://linux.vbird.org/download/#linux_security
#
# Installation:
# 1. Put the program in a suitable directory
#    mkdir -p /usr/local/virus/httpd-err
#    cp /full/path/http-netstat.sh /usr/local/virus/httpd-err
#    chmod 755 /usr/local/virus/httpd-err/http-netstat.sh
# 2. Edit the relevant settings in the program:
#    Several settings further down need to be changed, including:
#    email      (who should the report be mailed to?)
#    access_log (which file should be checked for the report?)
# 3. Set up crontab
#    vi /etc/crontab (add the lines below)
# ---------------------------------------------------------------------------- Start
# * * * * * root /usr/local/virus/httpd-err/http-netstat.sh start > /dev/null 2>&1
# 18 */2 * * * root /usr/local/virus/httpd-err/http-netstat.sh day > /dev/null 2>&1
# 12 04 * * 0,4 root /usr/local/virus/httpd-err/http-netstat.sh week > /dev/null 2>&1
# ---------------------------------------------------------------------------- End
#
#====================================================================
# Copyright notice:
#   This program is licensed under the GPL; anyone may use it.
#   However, users of this program are advised to have some understanding
#   of the BASH shell!
#   In addition, any use of this program, I will not!
#   VBird <vbird@tsai.adsldns.org>
#====================================================================
# History:
#--------------------------------------------------------------------
# 2002/06/11 VBird
#   First time to setup this program!!
# 2002/06/29 VBird
#   Adding some output control line!
# 2002/07/01 VBird
#   1. Add "Using netstat -an" to find out
#      the large connect IP and deny it!
#      The number of connection is [25].
#   2. By the way, the error log limit is
#      changed from [20] to [15].
#   3. The running frequency is changed from
#      30 minutes to 15 minutes.
# 2002/09/26 VBird
#   1. Adding the "netstat -an" to check whether
#      Apache is live?
# 2002/11/04 VBird
#   1. Change the netstat error from 25 to 15
# 2003/02/27 VBird
#   Detect method modified from the number of connections to the
#   "SYN_RECV" signal!
# 2003/03/03 VBird
#   1. The SYN_RECV signal comes from "Brother 's settings",
#      not only from Teleport~ Thus, the last modification was
#      a wrong setting....
#   2. The program has been modified to do the following:
#      A. Use netstat and grep the TIME_WAIT connections.
#         If the connections are over 5 and the TIME_WAIT continues
#         for 15 seconds, then drop the IP!
#      B. Analyze the log file; if Teleport is found,
#         drop the IP!
# 2003/03/23 VBird
#   Raised the TIME_WAIT packet count from the original 9 to 12!
#   Because too many friends had problems with being blocked! My goodness!
# 2003/03/24 VBird
#   Raised the TIME_WAIT packet count from the original 12 to 15!
#   Because too many friends had problems with being blocked! My goodness!
# 2003/04/03 VBird
#   Because the site got ripped! So the 15 is changed to 13!
# 2003/04/24 VBird
#   Suddenly realized that blocking for a whole day is too harsh; many
#   people were not able to get in. So some of the blocks are now opened
#   up! Apart from those with conclusive evidence of Teleport, which
#   stay blocked (for three to four days), the rest of the blocks are
#   lifted after two hours!
#   Therefore the blocking mechanism can be set a bit more strictly!
#   So the original 13 is changed to 12!
# 2003/04/28 VBird
#   Released the program for everyone to use!
# 2003/05/18 VBird
#   Revised the format of the daily e-mail output!
#====================================================================

#####################################################################
# You must input some parameters
# Fill in the information below!
email="root@localhost"
basedir="/usr/local/virus/httpd-err"
iptables_rule="/usr/local/virus/iptables/iptables.rule"
access_log="/var/log/httpd/access_log"

### Program starting! You don't need to change anything below! ^_^ ###
#####################################################################
# The program version and somethings.
lastdate="2003-05-18"
versions="Version 1.1"
hosthome=`hostname`
logfile="$basedir/mail.netstat"
oldlogfile="$basedir/mail.netstat.old"

#####################################################################
# The following is about ethernet interface's IP and check if the http live?
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export PATH
LANG=en; LC_TIME=en; export LC_TIME LANG
# Interface of the default route, then the IPv4 address bound to it
ethface=`route -n | awk '{print $1, $8}' | grep '0.0.0.0' | cut -d ' ' -f2`
ethIP=`ifconfig "$ethface" | grep 'inet addr' | awk '{print $2}' | cut -d ':' -f2`
export ethIP

case $1 in

  start)

    # 1. Get the TIME_WAIT signal

    #=== Part A, about the TIME_WAIT signal ===#
    # Three samples 12 seconds apart; each lists the IPs with 12 or more
    # TIME_WAIT connections. ':80 ' matches the port number, not any "80"
    # that happens to appear inside an address.
    netstat -an | grep ':80 ' | grep TIME | awk '{print $5}' | cut -d ':' -f1 | sort | uniq -c | \
        awk '{if ($1 >= 12) print $2}' > $basedir/netstat1
    sleep 12s
    netstat -an | grep ':80 ' | grep TIME | awk '{print $5}' | cut -d ':' -f1 | sort | uniq -c | \
        awk '{if ($1 >= 12) print $2}' > $basedir/netstat2
    sleep 12s
    netstat -an | grep ':80 ' | grep TIME | awk '{print $5}' | cut -d ':' -f1 | sort | uniq -c | \
        awk '{if ($1 >= 12) print $2}' > $basedir/netstat3
    # Keep only the IPs that were over the limit in all three samples
    cat $basedir/netstat1 $basedir/netstat2 $basedir/netstat3 | sort | uniq -c | \
        awk '{if ($1 == 3) print $2}' > $basedir/netstat.now
    denyip_netstat=`cat $basedir/netstat.now`

    #=== Part B, about the log file ===#
    # Clients whose recent requests carry "Teleport" in the access log
    tail -n 1000 $access_log | grep "Teleport" | cut -d ' ' -f1 | sort | uniq > $basedir/loga.now
    denyip_log=`cat $basedir/loga.now`

    # 2. Exit if there is no problem IP!
    if [ "$denyip_netstat" == "" ] && [ "$denyip_log" == "" ]; then
        exit 0
    fi

    # 3. Adding the IP into the deny files dailyerr
    [ -e $basedir/dailynet ] || touch $basedir/dailynet
    [ -e $basedir/dailylog ] || touch $basedir/dailylog
    [ -e $basedir/dailyerr ] || touch $basedir/dailyerr
    # sort -n replaces the obsolete "sort +0n" form
    cat $basedir/netstat.now $basedir/dailynet | sort -n | uniq > $basedir/dailynet.1
    cat $basedir/loga.now $basedir/dailylog | sort -n | uniq > $basedir/dailylog.1
    cp $basedir/dailynet.1 $basedir/dailynet
    cp $basedir/dailylog.1 $basedir/dailylog
    sleep 1s
    num_new=`cat $basedir/dailynet $basedir/dailylog | sort | uniq | wc -l`
    num_old=`cat $basedir/dailyerr | wc -l`
    # Nothing new since the last run: leave the firewall alone
    if [ "$num_new" == "$num_old" ]; then
        exit 0
    fi
    cat $basedir/dailynet $basedir/dailylog | sort | uniq > $basedir/dailyerr

    echo '#!/bin/bash' > $basedir/iptables.http
    echo '#' >> $basedir/iptables.http
    echo "# This file is created by automatic $0," >> $basedir/iptables.http
    echo '#' >> $basedir/iptables.http
    echo '# For any questions please see the web page:' >> $basedir/iptables.http
    echo '# http://linux.vbird.org' >> $basedir/iptables.http
    echo '################################################' >> $basedir/iptables.http
    # Only dotted-quad addresses are written into the generated script, so a
    # hostname or other text from the log cannot end up in a command line.
    cat $basedir/dailyerr | \
        awk -v ethIP="$ethIP" '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {printf("%-42s %-18s %-19s\n", "/sbin/iptables -A INPUT -i eth0 -p TCP -s", $1, "--dport 80 -j DROP")}' \
        >> $basedir/iptables.http
    chmod 700 $basedir/iptables.http
    if [ -f "$iptables_rule" ]; then
        sh $iptables_rule
        [ -e "$basedir/dailyerr.number" ] || echo 0 > $basedir/dailyerr.number
        declare -i daynumber=`cat $basedir/dailyerr.number`+1
        sleep 1s
        echo $daynumber > $basedir/dailyerr.number
    fi
    ;;

  day)
    # 1. Get the uptime of your Linux system
    timeset1=`uptime | grep day`
    timeset2=`uptime | grep min`
    if [ "$timeset1" == "" ]; then
        if [ "$timeset2" == "" ]; then
            UPtime=`/usr/bin/uptime | awk '{print $3}'`
        else
            UPtime=`/usr/bin/uptime | awk '{print $3 " " $4}'`
        fi
    else
        if [ "$timeset2" == "" ]; then
            UPtime=`/usr/bin/uptime | awk '{print $3 " " $4 " " $5}'`
        else
            UPtime=`/usr/bin/uptime | awk '{print $3 " " $4 " " $5 " " $6}'`
        fi
    fi
    # 2. Send the information to you!
    if [ ! -f $logfile ]; then
        echo "################################################" > $logfile
        echo "Welcome to use this program to check your HTTP log file," >> $logfile
        echo "current version of the program: $versions" >> $logfile
        echo "last updated: $lastdate" >> $logfile
        echo "If you find any problem with this program on your system," >> $logfile
        echo "you are welcome to contact VBird!" >> $logfile
        echo "VBird's home page: http://linux.vbird.org" >> $logfile
        echo "################################################" >> $logfile
        echo "=============== System summary =======================" >> $logfile
        echo "Kernel version  : `cat /proc/version | awk '{print $1 " " $2 " " $3 " " $4}'`" \
            >> $logfile
        echo "CPU information : `cat /proc/cpuinfo | grep 'model name' | \
            awk '{print $4 " " $5 " " $6}'`" >> $logfile
        echo "CPU MHz         : `cat /proc/cpuinfo | grep 'cpu MHz' | \
            awk '{print $4 " MHz"}'`" >> $logfile
        echo "Host name       : `/bin/hostname`" \
            >> $logfile
        echo "================================================" >> $logfile
        echo "" >> $logfile
    fi
    echo "At present time : `date +%Y/%m/%d' '%H:%M`" >> $logfile
    ipnumber=`cat $basedir/dailyerr | wc -l`
    echo "IPs blocked by the program in the past two hours: $ipnumber" >> $logfile
    daynumber=`cat $basedir/dailyerr.number`
    echo "Times the firewall was activated in the past two hours: $daynumber" >> $logfile
    echo "" >> $logfile
    cat $basedir/dailyerr >> $basedir/dailytotal
    # -f: these files do not exist if nothing was blocked since the last run
    rm -f $basedir/dailynet
    rm -f $basedir/iptables.http
    rm -f $basedir/dailyerr.number
    # Reload the firewall without the netstat-based blocks
    if [ -f "$iptables_rule" ]; then
        sh $iptables_rule
    fi
    sendor=`date +%H`
    if [ "$sendor" == "05" ] || [ "$sendor" == "06" ]; then
        echo "Statistics of the IPs blocked today:" >> $logfile
        # uniq -c needs sorted input, so sort before counting
        cat $basedir/dailytotal | sort | uniq -c | sort -n | \
            awk '{printf("%-16s %-3d\n", $2, $1)}' >> $logfile
        mail -s "The deny bands in your system." $email < $logfile
        [ -f "$oldlogfile" ] && rm $oldlogfile
        mv $logfile $oldlogfile
        rm -f $basedir/dailytotal
    fi
    sync; sync; sync
    ;;

  week)
    # Archive the Teleport list and lift those blocks
    cat $basedir/dailylog >> $basedir/teleport.ip
    rm -f $basedir/dailylog
    ;;

  *)
    echo "Usage command is {start|day|week}, such as [$0 start]"
    ;;
esac


[/code]
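
The three-sample check from Part A of the script above, as an added example that is not VBird's code or part of the original post: it counts only TIME_WAIT connections to local port 80, keeps the addresses that are over the limit in all three samples, and prints a rule only for a valid dotted-quad address. The function names and the sample addresses are assumptions; the netstat lines are constructed.

```sh
# Added example, not VBird's code. THRESHOLD mirrors the script's limit of 12.
THRESHOLD=12

# Constructed input: $2 netstat-style TIME_WAIT lines from IP $1 to local port $3 (default 80).
fake_netstat() {
    i=0
    while [ "$i" -lt "$2" ]; do
        printf 'tcp 0 0 192.0.2.1:%s %s:%d TIME_WAIT\n' "${3:-80}" "$1" $((40000 + i))
        i=$((i + 1))
    done
}

# Read `netstat -an` text on stdin; print every remote address that holds at
# least THRESHOLD TIME_WAIT connections to local port 80.
offenders() {
    awk -v limit="$THRESHOLD" '
        $6 == "TIME_WAIT" && $4 ~ /:80$/ {
            ip = $5; sub(/:[0-9]+$/, "", ip)    # drop the remote port
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= limit) print ip }'
}

# Print the addresses listed in all three sample files.
persistent() {
    sort "$1" "$2" "$3" | uniq -c | awk '$1 == 3 { print $2 }'
}

# Print a DROP rule only for a strict dotted quad, so a hostname or other junk
# taken from a log never reaches the generated rule file. Returns 1 otherwise.
emit_rule() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (k = 1; k <= 4; k++) if ($k !~ /^[0-9]+$/ || $k > 255) exit 1
          print "/sbin/iptables -A INPUT -i eth0 -p tcp -s " $0 " --dport 80 -j DROP" }'
}

# Three constructed samples; only 203.0.113.7 is over the limit in all of them.
demo() {
    d=$(mktemp -d) || return 1
    for s in 1 2 3; do
        { fake_netstat 203.0.113.7 12
          fake_netstat 192.0.2.80 12 8080      # busy, but not on port 80
          if [ "$s" = 2 ]; then fake_netstat 198.51.100.9 12; fi
        } | offenders > "$d/$s"
    done
    persistent "$d/1" "$d/2" "$d/3" | while read -r ip; do emit_rule "$ip"; done
    rm -rf "$d"
}
```

Calling `demo` prints a single rule, for 203.0.113.7; the address seen in one sample only and the client on port 8080 produce none.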

Do we have any good ways to prevent malicious website scraping?

Thank you

Do we have any good ways to prevent malicious website scraping?

Is there any need to reopen these iptables loopholes?

Do we have any good ways to prevent malicious website scraping?

SSL link


